
Management's Description of the System Template

Section 3 of a SOC 2 Type II report: the mandatory narrative describing infrastructure, software, people, procedures, and data, per AICPA Description Criteria DC 200 (2018 revision).


Required Sections

A compliant Management's Description of the System for SOC 2 Type II must include the following 17 sections. Each section addresses a specific control requirement that auditors will review.

1. System Overview and Background: Company history, mission, and service positioning.
2. Services Provided and Scope of the Report: Services in scope, products covered, and the Trust Services Criteria selected (Security / Availability / Confidentiality / Processing Integrity / Privacy).
3. Principal Service Commitments and System Requirements: Commitments made to customers and the system requirements that support them.
4. Infrastructure: Cloud regions, data centers, network architecture, hardware boundaries.
5. Software: Operating systems, databases, application stack, and supporting tools (monitoring, logging, IDS, SIEM).
6. People: Organizational structure, functional teams, headcount by role, and reporting lines.
7. Procedures: Summary of documented procedures — onboarding, access management, change management, incident response, access reviews.
8. Data: Data types, classification scheme, data flows (ingress/egress), retention, and protection at rest/in transit.
9. System Boundaries: What is included vs excluded from the system description.
10. Subservice Organizations: Third-party providers in scope (AWS, Okta, etc.), carve-out vs inclusive method, and the complementary controls expected at each subservice.
11. Control Environment: Tone at the top, ethics, board oversight, competence commitment (CC1.1–CC1.5).
12. Risk Assessment Process: How the organization identifies, analyzes, and responds to risk (CC3.1–CC3.4).
13. Information and Communication Systems: Internal and external communication channels for security matters (CC2.1–CC2.3).
14. Monitoring Activities: Ongoing and separate evaluations of controls (CC4.1–CC4.2).
15. Complementary User Entity Controls (CUECs): Controls the customer must implement for the service commitments to be achieved.
16. Significant Changes During the Period: Material changes to the system during the observation period.
17. Identified System Incidents: System incidents during the observation period disclosed per SSAE 21 (or explicitly "None identified").

Generate a Customized Version

This template shows the required structure. PoliWriter generates a fully customized Management's Description of the System that references your actual cloud providers, identity systems, tools, and team practices — ready for auditor review.